While many consider ditching Google, including its web browser Chrome, due to privacy concerns and in response to recent actions, Firefox has been one of the primary alternate options. A recent Firefox exploit demonstration that uses a combination of a malicious HTML file, ClickJacking, iframe and SSH bugs may change that. (Proof of Concept video)
While news of another broad base vulnerability is not surprising, the fact that it’s been known about for 17 years is startling! Put simply, it’s now known that this weakness allows a hacker to access all files in the same folder and its subfolders that contain the malicious HTML file you unwittingly downloaded and didn’t realize you clicked on. Previously this was not seen as an issue and was used in SOP (Same-Origin Policy, which is a considered a critical security mechanism) that allows scripts to access files in the same local location, speeding things up for your browsing pleasure. This is now a major issue after a researcher, Barak Tawily, found a way to remotely gain access to, and subsequently, steal these files and transfer them to a remote server. While Barak is the first to publicly disclose the information of this vulnerability, who’s to say that others haven’t used it in the past. In 2015 a similar vulnerability within SOP was found being used in the wild.
The response from Mozilla seemed to downplay the risk and leads one to believe there are no plans to fix the issue. So, what can you do? At this point, it’s best to just not use Firefox until they find a way to fix this. Why? Just going to a website that contains the malicious HTML file can easily fool a person to click on things, like something that looks like, but are not actually, those “Do you want to allow this site to give notifications?”, “Allow/Deny” (kind of like the one you likely clicked when you accessed this article – and no, we didn’t code ours to be malicious…) and just clicking that can give the hacker access, and you’re none the wiser.
For more in-depth information: https://thehackernews.com/2019/07/firefox-same-origin-policy-hacking.html